MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd
SHA3-384 hash: 7e4a708b34c4541d6440e7e15b301259477860e7e9672cbac310a07ab4909c3388be9712ab4441e21a95aae90322fc71
SHA1 hash: c8a8a5b9399533320ee646e3ce1ca30ad1251fe6
MD5 hash: b6bb227909f47ba9e84dfd185761b494
humanhash: victor-violet-video-cup
File name:GT09876545678.exe
Download: download sample
File size:1'270'784 bytes
First seen:2021-10-07 11:54:22 UTC
Last seen:2021-10-07 13:13:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:CRM2M7UrvD+8HD32qXCcKHBf7zNbM6gCkA/J9P2L+huWwn:bQvy8HNgGH
Threatray 347 similar samples on MalwareBazaar
TLSH T1EE45F1386202BDBEC23BEE7C84545A5D0C944C0716B394DCBAC96AED9475634B8BCE3D
File icon (PE):PE icon
dhash icon 5145032317177149 (1 x a310Logger, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GT09876545678.exe
Verdict:
Malicious activity
Analysis date:
2021-10-07 12:00:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f27c2301-d210-44d8-99e5-d4086aa1912c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195823/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Androm.1.22447.11581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/615ee01ae3d213d202b9d144/reports/aebcbf2f-8025-40b4-a4dc-9c41d44ebbcd/overview
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76f9be03-86dc-4ba1-9880-da3f0a9fdf43
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866405
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498830 Sample: GT09876545678.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Antivirus detection for dropped file 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 9 other signatures 2->58 8 GT09876545678.exe 3 7 2->8         started        process3 file4 32 C:\Users\user\AppData\...\document.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\...behaviorgraphT09876545678.exe, PE32 8->34 dropped 36 C:\Users\...\document.exe:Zone.Identifier, ASCII 8->36 dropped 38 3 other malicious files 8->38 dropped 60 Creates an undocumented autostart registry key 8->60 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 66 Injects a PE file into a foreign processes 8->66 12 GT09876545678.exe 8->12         started        15 GT09876545678.exe 8->15         started        18 wscript.exe 8->18         started        20 4 other processes 8->20 signatures5 process6 dnsIp7 68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 May check the online IP address of the machine 12->72 74 Machine Learning detection for dropped file 12->74 40 checkip.dyndns.org 15->40 42 checkip.dyndns.com 132.226.247.73, 49851, 80 UTMEMUS United States 15->42 44 freegeoip.app 172.67.188.154, 443, 49852 CLOUDFLARENETUS United States 15->44 76 Tries to steal Mail credentials (via file access) 15->76 78 Tries to harvest and steal ftp login credentials 15->78 80 Tries to harvest and steal browser information (history, passwords, etc) 15->80 82 Wscript starts Powershell (via cmd or directly) 18->82 22 powershell.exe 18->22         started        46 104.244.42.1 TWITTERUS United States 20->46 48 twitter.com 104.244.42.129 TWITTERUS United States 20->48 50 192.168.2.1 unknown unknown 20->50 24 conhost.exe 20->24         started        26 conhost.exe 20->26         started        28 conhost.exe 20->28         started        signatures8 process9 process10 30 conhost.exe 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 11:55:11 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=226zxudk7vxdizgegvd74xcb32lqfrcmyinxmxhy7na6wns3g7oq._file
Verdict:
unknown
Similar samples:
042745a4bcafbac658e73da50c2e281a3aaa9ecf81344e67b00d0c40e807621d
2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced
3023261456361410fc8e6f5ec4c22d0c2aa7d02fd62148de20819945e99a86a3
5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106
86b4bb9ea11ac97ecf7390c0e4e2979b69c294c22c65931ff734926c9540a0fd
8e1744ef99e2d9e8aa9447dd7495ea10c66c50d03125eda0574c1e29c71237ff
a484efc646ba0e97435959b7f4e87cf9a716d69623b13bc490a41e140dd296b7
d6882af91695b65b4113b5e072e39d7c1f1121d4984202c6c0063c3ebaea7fac
e2974131c2b7d7c62379556b860db19f2dd28dbd77eddf01bd0dba673c5cd6b8
+ 337 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/211007-n3fvescce4/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b38b94af098d8ba8d754ffc529cffd0c4ecf3b580d73145f7bcf1c430f7d083e
MD5 hash:
c71fca8d10b3c41adb77cfa5fb686fb7
SHA1 hash:
1f9971d25d48757c54949d1f6f25d5afdab3450a
Link:
https://www.unpac.me/results/69002b13-c4e0-4b5f-a8d4-52408db55bdd/
SH256 hash:
4382105caf7ba6d0cc593f1d26bfe2b324819828a6308eb0e3121c3608afc8fa
MD5 hash:
09be7d98bc272d381b471a8067ab67fc
SHA1 hash:
7a7f37268a6f1cb5297c357854a98a7131dd57df
Link:
https://www.unpac.me/results/69002b13-c4e0-4b5f-a8d4-52408db55bdd/
SH256 hash:
3c1da240321fd54be4d16da80a2f86baf0b0810b2db46d11804031c28f19b296
MD5 hash:
bec8aa44481d90ed0a08acea3d4d6745
SHA1 hash:
095339da393449609f16711cfbd43d529cef9745
Link:
https://www.unpac.me/results/69002b13-c4e0-4b5f-a8d4-52408db55bdd/
SH256 hash:
d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd
MD5 hash:
b6bb227909f47ba9e84dfd185761b494
SHA1 hash:
c8a8a5b9399533320ee646e3ce1ca30ad1251fe6
Link:
https://www.unpac.me/results/69002b13-c4e0-4b5f-a8d4-52408db55bdd/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d6bd9bd06afd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195823/

Comments